just another infosec blog

Train tickets, plastic and apps

Norwegian State Railways (NSB) is a funny company when it comes to leading technology forward. The regular paper based ticked is assumed to be put out of use soon and will be replaced by apps and a plastic version of the former said ticket. Being an electronic frontiers man sure sounds fun, eh?

Let’s discuss the apps first. I suppose you know my stance regarding apps. If not – I hate apps for various reasons. That said – with the apps you are able to buy tickets and store them on your phone. Sure beats those none battery powered paper based ones that just works – huh? Anyhow, the key here is a QR code that displays on the screen. Whenever there’s a ticket control the conductor must scan this QR with a multipurpose handheld terminal. So far so good. But actually – no. It isn’t. From what I’ve seen those handheld terminals can’t read glossy screen that well. Or when the sun reflects. My problem is the QR part. Since they scan it – how do they validate it? What does it contain and what does the terminal do? What can I do with it? And what can people do to harm me?

It would be interesting to get hold of such a terminal. Maybe craft a QR with a custom binary sequence to it. If the terminal is able to go online – could I inject some, say, Javascript to it? An SQL injection perhaps. I wish there was a whitepaper floating around that could assure me that the device can’t be fooled into screwing me over. Also – in the nature of apps. Why is only Android and iPhone supported? I know that people using Microsoft Windows phones are few, and Bing users even fewer. But by only supporting these two phone OS’s you really kill the competition. And for those occasions NSB has a plastic version of the paper ticket.

The plastic ticket is a credit card sized thingy. You “charge” the ticket at the ticket booth. At each ride you must validate it by holding it close to a reader stationed outside of every train station in Norway. I have got no clue about the technology they use for this. It might be RFID or Near Field Communication. You can also validate it when there’s a ticket control – but the conductor will give you the evil eye. Since you must validate the card using the reader I was wondering how secure is the reader actually? I would imagine there exist a special kind of card that gives you elevated access. I’ve seen the conductors fiddling with the readers and doing things I’m not able too. That means, they’re able to validate my card when I can’t. Could I manage to get access to this by manipulating my card? Could I manipulate the reader in some other way? Is it secured at all?

I’m not saying I am going to. But it is interesting to think about it. In my honest opinion NSB should release a whitepaper describing the security aspect. When it comes to QR codes I am a bit skeptic. A QR code is quite generic. You can find many generators on the net and possibly do much harm. But what about the following scenario:

Student A forgets to lock her iPhone before leaving for lunch. Student B notices this and rushes to take a screenshot of the electronic ticket. Since iPhones comes with a very good e-mail tool student B sends this screenshot to his friends. Student B isn’t too stupid so he deletes the sent e-mail from the iPhone to cover his tracks.

With that scenario the ticket is shared among many. Would the conductor even know? Would student A know?